# SecureHeal Arena - API Reference Complete reference for every endpoint exposed by the SecureHeal Agent backend on Hugging Face Spaces. **Base URL:** `https://ravindraog-secureheal-trainer.hf.space` --- ## GET /health Returns the current health status of the Space and whether the model is loaded. **Request:** ``` GET /health ``` **Response (200):** ```json { "status": "healthy", "model_loaded": true, "model": "Nitesh-Reddy/secureheal-agent-v2" } ``` **When to use:** Call this before any scan request to confirm the Space is awake and the model is ready. If `model_loaded` is `false`, wait 1-2 minutes and retry. --- ## POST /scan Scans a code snippet provided as a JSON body. Runs the full 3-agent debate pipeline (Alpha scanner, Beta attacker, Gamma defender) and returns the combined analysis along with any tool calls the agents produced. **Request:** ``` POST /scan Content-Type: application/json ``` **Body:** | Field | Type | Required | Default | Description | |-------|------|----------|---------|-------------| | `code` | string | Yes | - | The source code to analyze | | `context` | string | No | `"web application"` | Describes the application type (e.g. "flask api", "express server") | | `max_tokens` | integer | No | `512` | Maximum tokens for the model response | **Example:** ```json { "code": "cursor.execute(f\"SELECT * FROM users WHERE id = {user_id}\")", "context": "flask api", "max_tokens": 512 } ``` **Response (200):** ```json { "vulnerabilities_found": true, "tool_calls": [ { "tool": "scan_code", "args": {} }, { "tool": "simulate_attack", "args": { "payload": "1 OR 1=1" } }, { "tool": "apply_patch", "args": { "patch_code": "cursor.execute(\"SELECT * FROM users WHERE id = ?\", (user_id,))" } } ], "analysis": "[AGENT ALPHA - RECON SCANNER]\n..." } ``` **Error Codes:** - `503` - Model is still loading. Retry after a short wait. --- ## POST /scan/file Uploads a source code file for vulnerability scanning. This is what the SecureHeal CLI (`secureheal_cli.py`) calls under the hood. Supports `.py`, `.js`, `.ts`, `.java`, `.go`, `.rb`, `.php`, and more. **Request:** ``` POST /scan/file Content-Type: multipart/form-data ``` **Fields:** | Field | Type | Required | Default | Description | |-------|------|----------|---------|-------------| | `file` | file (binary) | Yes | - | The source code file to scan | | `context` | string (form) | No | `"web application"` | Application type hint | | `max_tokens` | integer (form) | No | `512` | Maximum tokens for the model response | **Example (curl):** ```bash curl -X POST https://ravindraog-secureheal-trainer.hf.space/scan/file \ -F "file=@vulnerable_app.py" \ -F "context=flask api" \ -F "max_tokens=512" ``` **Response (200):** ```json { "vulnerabilities_found": true, "tool_calls": [ ... ], "analysis": "...", "filename": "vulnerable_app.py" } ``` **Notes:** - Files larger than 8000 characters are automatically truncated to fit the model context window. - The `filename` field in the response echoes back the uploaded file name. **Error Codes:** - `400` - File is not a valid text/source code file. - `503` - Model is still loading. --- ## POST /agent A free-form prompt endpoint. Send any text prompt to the SecureHeal agent and get back a raw response along with any parsed tool calls. This is useful for custom queries outside the standard scan workflow. **Request:** ``` POST /agent Content-Type: application/json ``` **Body:** | Field | Type | Required | Default | Description | |-------|------|----------|---------|-------------| | `prompt` | string | Yes | - | Free-form text prompt for the agent | | `max_tokens` | integer | No | `512` | Maximum tokens for the response | **Example:** ```json { "prompt": "Explain the OWASP Top 10 vulnerability categories and which ones apply to Python Flask apps.", "max_tokens": 256 } ``` **Response (200):** ```json { "response": "The OWASP Top 10 covers...", "tool_calls": [] } ``` **Error Codes:** - `503` - Model is still loading. --- ## GET / (Gradio Dashboard) The root path serves the **VS Code-style Gradio IDE Dashboard**. This is the visual interface that judges and users see when they visit the Hugging Face Space directly. It is mounted as a Gradio app on top of the FastAPI backend. **URL:** `https://ravindraog-secureheal-trainer.hf.space/` This is not an API endpoint in the traditional sense. It renders the interactive web UI. --- ## Data Models ### VulnerabilityReport Returned by `/scan` and `/scan/file`. | Field | Type | Description | |-------|------|-------------| | `vulnerabilities_found` | boolean | Whether the agent detected any issues | | `tool_calls` | array of ToolCall | Parsed tool calls from the agent output | | `analysis` | string | Full text of the multi-agent debate log | | `filename` | string or null | Original filename (only for `/scan/file`) | ### ToolCall | Field | Type | Description | |-------|------|-------------| | `tool` | string | Name of the tool called (e.g. `scan_code`, `apply_patch`) | | `args` | object | Arguments passed to the tool | ### AgentResponse Returned by `/agent`. | Field | Type | Description | |-------|------|-------------| | `response` | string | The agent's text response | | `tool_calls` | array of ToolCall | Any tool calls parsed from the response | --- ## Rate Limits and Constraints - The Hugging Face Space runs on a **T4 GPU** with limited concurrency. - Each scan triggers three sequential model inferences (Alpha, Beta, Gamma), so expect response times of 30 to 90 seconds depending on code length. - Files over 8000 characters are truncated. - If the Space has been idle for a while, the first request will take longer because the model needs to load into GPU memory. --- ## Related Documentation For a complete overview of the SecureHeal Arena project, please refer to: - [README.md](README.md) - Project overview, architecture, and quick start guide. - [TRAINING_EVIDENCE.md](TRAINING_EVIDENCE.md) - Training curves, reward architecture, and performance benchmarks. - [project_context.md](project_context.md) - Detailed hackathon strategy and execution plan. - [hf_blog_post.md](hf_blog_post.md) - Short blog post explaining the project. - [secureheal_cli.py](secureheal_cli.py) - CLI source code that calls these endpoints. - [training/train_hf_job.py](training/train_hf_job.py) - GRPO training script. --- *Prepared for the Meta PyTorch OpenEnv Hackathon India 2026 by team codeXcreators.*